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Topics for Today 




• Second Generation Zigbee Chips 

- EM250, CC2430, CC2530 

- How to break them. 

• A 16 Bit Rootkit 1 

- A very portable operating system, 

- easily injected into a uC application, 

- without damaging that application. 
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Notice That 



In IT, 

- Malware is common. 

- It's annoying. 

- Simple malware is detected, removed. 
In embedded systems, 

- Malware is rare. 

- No one looks for it. 

- Simple malware is undetected, sufficient. 
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Forward 




Confidentiality 

- Only to prevent plagiarism. 
Integrity 

- Only against accidental corruption. 
Availability 

- A watchdog timer. 
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IT IS A VIOLATION OF CITY OF TALLAHASSEE ORDINANCE 

87 10 & STATE STATUTE 812 14 TO WILLFULLY CUT 

BREAK OR ALTER THE SEAL OR ANY PORTION OF AN 

ELECTRIC METER INSTALLATION. A FEE OF $150 PLUS 

COST OF REPAIR. REPLACEMENT AND INVESTIGATION 

FEES IN ADDITION TO THE ESTIMATED LOSSES WILL BE 

CHARGED FOR SUCH VIOLATION FOR INFORMATION OR 

TO REPORT SUCH ACTIVITY CALL 891-6814 OR 891-5053 

CITY OF TALLAHASSEE 
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In this Episode 




EM250 

- WTF were they thinking? 
CC2430/CC2530 

- Keys are easily extracted. 
MSP430 

- A rootkit design. 

- How to recognize one, or to build one. 
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Disclaimers 




EM250/260 

- EM3xx will be better. 
CC2430/CC2530 

- CC430 will be better. 
MSP430 

- MSP430 only chosen for a concrete 

example. 
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Brief Review: Microcontrollers 



Little computer. 

- 8 or 16 bit 

- Von Neumann or Harvard 

- Internal Flash/RAM 

- No/partial MMU 
Still a computer. 



Brief Review: Wireless Sensors 




Radio+MCU=WSN 

Ultra low power, long deployment. 

Mesh Networking 

Applications 

- Smart Grid 

- Military 

- Wildlife, Geological Research 
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Brief Review: Terms 




• 802.15.4, MAC and lower layers. 

• Zigbee, upper layers. 

• MSP430, a 16 bit uC 

• First Gen Radios, just a radio 

• Second Gen Radios, radio+|iC 
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part 1: 
Second Generation Zigbee Chips 



Travis Goodspeed 
Black Hat 09 
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First Generation 




• CC2420, EM2420 

- Same chip! 

• Just a radio. 

- Keys are sent by SPI. 

- As cleartext. 
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Zigbee Bus Snooping 




• First presented at S4 Miami. 

- Later Source Boston, HackADay. 

- Workshop at Defcon! 

• Dirt simple, 

- Stick needles into the board's test points. 

- Capture SPI traffic live. 

- Read the AES128 key. 

- Set your radio to the same. 
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Bus Snooping: Scop 
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Bus Snooping: Sniffer 
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People are mean! 

Q Bruce said... 

The ZigBee Smart Energy Profile (SEP) uses certificates for 
secure communication. Simply knowing the link or network 
keys is pretty much useless unless you also have a certificate 
from the licensing body (Good luck, they are a royal pain in the 
a$$ even to those who are paying their exorbitant fees). 

At this point, the vast majority of pilots and products out there 
that support SEP are based on the EM 2 50, and not the TI 
CC2420. Utilities are requiring the security and standardization 
that the SEP provides. 



I consider this blog to be cute. However, it has shown that 
politicians with mediocre minds will over react to anything that 
serves their purpose. 

MARCH 24, 2009 10:36 PM 



m- 



Again 




"...the vast majority of pilots and products 
out there that support SEP are based on 
the EM250, and not the Tl CC2420. 
Utilities are requiring the security and 
standardization that the SEP provides. ..." 

- Bruce 
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EM250 




• 12MHz XAP2b 16-bit microcontroller core 

- 128kB Flash and 5kB RAM 

- 128-bit AES hardware engine 

- <luA sleep current w/ internal RC oscillator 

running 

• Also a radio. 
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So to be clear. 




The argument is: 

- The CC2420 is vulnerable. 

- The EM250 doesn't expose keys by SPI. 

- Therefore, EM250 boards are secure. 
The argument is wrong. 

- Let's see why! 
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EM250 Chip 



16 bit Harvard XAP2 

- 1999 design by Cambridge Consultants 
Insight® for Debugging 

-JTAG Variant 
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EM250 Programming 




• OTA and by Serial Port 

- Bootloader of some sort. 

- Might be vulnerable. I haven't looked. 

• Serial Port 

- Vulnerable to glitching, but don't bother. 

• InSight® 

- Wide open. 



InSight® Port 



Vdd 

GND 

GND 

SIF_LOADB 

PTI EN 
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SIF_MISO 
SIF_MOSI 
SIF_CLK 
RSTB 
PTI DATA 



from SPZB260ADP 
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Insight® Cable 
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EM2xx Conclusions 



Insight® 

- Lacks a fuse. 

- Exploitable with Ember's own tools. 
Locally indefensible. 
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CC2430 




Tl/Chipcon 
System on a Chip 

- 802.15.4 radio 

- 8051 mC 
Debugging 

- SPl-like 

- MOSI/MISO on a single pin. 
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CC2430 Debugging 




Init Sequence 
Commands 

- CHIP_ERASE 

- GET_PC 

- DEBUGJNSTR 

- GET_CHIPID 

Reply 
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Chipcon Physical Layer 




Bits 

- MSBit first 

- Written on rising edge of clock. 

- Sampled on falling edge of clock. 
Direction 

- Master speaks first. 

- Slave replies. 
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Chipcon Debugging Protocol 




Command 

- 5b instruction 

- lb R/!R 

- 2b Objects 

to 3 object bytes 
to 1 return bytes 
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Chipcon Lock Bit 



Unlocked 

- All verbs work. 




Locked 

- CHIP_ERASE 

- READ_STATUS 

- GET_CHIP_ID 

To unlock, 

- CHIP ERASE 
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Chipcon CHIP_ERASE 



• Erases all of Flash. 

- All firmware. 

- Debug Fuse too. 

• None of RAM. 
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8051 Constant Sidebar 




8051 is Modified Harvard Architecture 

- Data Memory 

• Non-executable. 

• Quickly read/written. 

- Code Memory 

• Executable. 

• Slowly read as data. 

- Incompatible pointers. 
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Brief Review 



Von Neumann 
Unified Memory 
Executable RAM 




Harvard 
Divided Memory 

- Code 

- Data 
Unexecutable RAM 
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8051 Constant Sidebar 




• 8051 Compilers 

- All variables in Data memory, 

• unless explicitly told otherwise. 

- At initialization 

• Data is populated from Code. 

• Therefore, 

- EVERY variable is in Data by default. 

- Keys are in Data memory. 
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Chipcon Exploitation 




• GoodFET.CC 

- Erase 

- Write Data >keys.bin 

• Key search 

- Joshua Wright's Killer Bee, TBR 

- 2 seconds for upper RAM 

- 4 seconds for all of RAM 
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Chipcon Defense 




• Keep anything sensitive in Code memory. 

- See Chipcon DN200. 

• const code char foo[|="Hello World!" 

• printf(foo); 

- Won't work! 

- printfQ expects a pointer to Data memory. 
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Chipcon Summary 

All current chips are vulnerable. 
Keys are exposed unless protected. 
Protection requires some recoding. 
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Third Generation Chips 




EM3xx 

- ARM Cortex M3 uC 

- JTAG Pin Fuse 
CC430 

- MSP430 uC 

- JTAG TAP Fuse 

Neither is yet available. 



Third gen Chips: EM3xx 
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PA[7Q] PB[7 D], PC[7:0] 
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Part 1 Conclusions 




• Zigbee chips aren't very secure. 

• Next generation might be better. 

- Might not be better. 

• Local security is hard. 

- Cryptography != Security 
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Part 2: 
J A 16-bit Rootkit 

IVT Proxying/Hooking 
Initial Foothold 
Blind Command Reception 
Efficient Command Frames 
Blind Function Calling 
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History 

• 2007, I authored the first WSN exploit. 

- MSP430 infected by 802.15.4 packet 

• 2008, I authored an MSP430 R.E. kit. 

- http://msp430static.sf.net/ in Perl/SQLite 

• 2009, Mike Davis Smart Grid Worm 

- Catch his talk at 16h45. 

- Practical implementation, which mine ain't. 
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WSN Exploits in Brief 




• Memory is precious 

- A few kilobytes of free memory. 

- 128 byte packets 

• No operating system. 

- No system calls, function tables, etc. 

- Single statically-linked image. 

• Code is in Flash, not RAM. 
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This Rootkit 




Generic Installation 

- Reasonably hardware agnostic. 

- Coexists with prior firmware. 
Efficient 

- Fits in available memory. 

- Reuses victim code where possible. 

- Memory/security tradeoff. 
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MSP430 




• 16 bit RISC processor 

- Two 20 bit variants. 

• Masked ROM Bootloader (BSL) 

- Flash ROM in recent variants. 

• Chosen for a concrete example. 

- Similarities in AVR, PIC, MIPS, etc. 
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Rootkit Specifics 




How do you find a function? 

- No linking tables. 

How do you trap an incoming packet? 

- Radio drivers are inlined. 

How do you make the rootkit stealthy? 

- Would you make it stealthy? 
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Locating a Function 




Fingerprints 

- Isolate functions, then iterate. 

- Checksum bytes. 

- Call function that matches bytes. 
Ports 

- IO ports are unique to hardware. 

- Called as literal indirects. 
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Interrupt Handling 




Interrupt Vector Table 

- List of interrupt handler addresses. 

- At the top of memory in Flash. 
To proxy it, 

- Copy table to a lower address. 

- Handle each target. 

- Handler branches to original. 
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Interrupt Proxy 
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Unproxied 




, — 
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Interrupt Proxying 




Also used without malice. 
Drastically changes 

- Bootloader password. 

- Call Graph. 

- Memory usage. 

- Calling convention. 
Barely changes 

- Bvtes 
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Bootloader Password 



• Hard to fake for masked BSL. 

- Entry sequence is in hardware. 

- Not maskable on classic MSP430. 

• JTAG Fuse 

- If blown, access is restricted without pass. 

- If unblown, local attacker has access. 
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Call Graph 

• Two applications, 




F 


- Two disconnected graphs. 

- Child connections can be made, 

• CALL #0x4000 

- Parent connections are more difficult. 
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• Clearing bits is easier than setting them. 











Memory Usage 
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Linker behavior 

- Flash is at the top of memory. 

- Code grows from starting address upward. 

- Each app starts at a segment boundary. 
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Calling Convention 




• Hackers use GCC 

- rl5, rl4, rl3, rl2 

• Others use IAR 

- rl2, rl4 in IAR 3 

- rl2, rl3, rl4, rl5 in IAR 4 

• Other compilers 

- other conventions 
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Further Fingerprinting 




• switch (){} 

- Table, word offset, or byte offset? 

• mov #0xFFFF, rl5 

- Constant generator or literal? 

• Unused interrupts. 

- OxFFFF, single handler, or many handlers? 
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Locating a Rootkit 




• One app or two? 

- Memory map, register usage, gap. 

• One compiler or two? 

- Calling convention consistency? 

- Assembler, switch{} consistency? 
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Two IVTs 




0xFB78 
0xFB7C 
0xFB80 
0xFB84 
0xFB88 
0xFB8C 



0x403A, repeated 

0x40B4 

0x4068 

0x43 B8 

0x40FA 

0x4000 
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Once again, 



In IT, 

- Malware is common. 

- It's annoying. 

- Simple malware is detected, removed. 
In embedded systems, 

- Malware is rare. 

- No one looks for it. 

- Simple malware is undetected, sufficient. 
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For more information, 




TravisGoodspeed.blogspot.com 

- Compiler behavior survey. 

- MSP430static R.E. toolkit. 
GoodFET.sourceforge.net 

- Chipcon debugging. 

- Voltage glitching soon. 
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Defcon talks 




• Locally Exploiting Wireless Sensors 

- Less theory, more practice. 

• An Open JTAG Debugger 

- Mapping JTAG Registers 

- CC2430 Protocol 

- Voltage Glitching 
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Questions? 



